MediumPublic exploit

Reflected XSS in cPanel cpsrvd error page

IdentifiersCVE-2023-29489CWE-79· Improper Neutralization of Input…

CVE-2023-29489 is a reflected cross-site scripting vulnerability in cPanel affecting versions before 11.109.9999.116. The issue occurs on the cpsrvd error page when it processes an invalid webcall ID, allowing attacker-controlled input to be reflected into the response without proper neutralization. The content indicates the flaw is exploitable without authentication. Fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause arbitrary script execution in the victim’s browser in the security context of the affected cPanel interface or origin serving the vulnerable error page. This can enable session theft, credential harvesting, unauthorized actions on behalf of the victim, UI redressing, and access to sensitive data exposed to the browser session. Because the issue is reflected XSS and unauthenticated, it is suitable for phishing or lure-based delivery against users who can access the vulnerable interface.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of cPanel and related web interfaces to untrusted networks, restrict access to trusted IP ranges or administrative VPNs, and monitor for requests containing malformed or invalid webcall ID values targeting cpsrvd error handling. Because this is reflected XSS, user-awareness measures and filtering or blocking suspicious crafted links can reduce risk, but patching is the primary mitigation.

Remediation

Patch, then assume compromise.

Upgrade cPanel to a fixed release. The content identifies the fixed versions as 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31. Systems running earlier affected builds should be updated to the appropriate patched branch as soon as possible.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

VALID 1 / 2 TOTALView more in app

CVE-2023-29489MaturityPoCVerified exploit

This repository contains a Python script (cve_2023_29489.py) and a README.md. The script is an operational exploit for CVE-2023-29489, a cross-site scripting (XSS) vulnerability in cPanel. The exploit takes a list of target hostnames or IP addresses (provided by the user in a file), and for each, attempts to access the /cpanelwebcall endpoint with a crafted XSS payload. If the payload is reflected and triggers a JavaScript prompt, the host is considered vulnerable. Results are printed to the console, saved to CVE-2023-29489.txt, and vulnerable URLs are opened in the default web browser. The script uses multithreading for efficiency and provides colored terminal output. The README provides installation and usage instructions for both Kali Linux and Termux environments. No hardcoded target endpoints are present; the script is designed for mass scanning of user-supplied cPanel hosts.

0-d3yDisclosed May 17, 2023pythonnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

CpanelCpanelapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cyfirma otherNews

Oct 18, 2023

ISRAEL GAZA CONFLICT : THE CYBER PERSPECTIVE - CYFIRMA

A reflected cross-site scripting vulnerability in cPanel that can be exploited without authentication; the report highlights hacktivists sharing a target list and an exploit for Israeli websites affected by it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2023-29489

NVD

nvd.nist.gov/vuln/detail/CVE-2023-29489

MITRE CWE · CWE-79

Improper Neutralization of Input During Web…

Vendor Advisory

forums.cpanel.net/threads/cpanel-tsr-2023-0001-full-disclosure.708949

Exploit

blog.assetnote.io/2023/04/26/xss-million-websites-cpanel